The ravings of a SANS/GIAC GSE (Compliance & Malware)
For more information on my role as a presenter and commentator on IT Security, Digital Forensics Statistics and Data Mining;
E-mail me: "craigswright @ acm.org".

Dr. Craig S Wright GSE

Books

I have a few books and another is on the way for 2012. Firstly, I have to plug the first in the Syngress Series of books on IT Audit. This is a comprehensive compliance and governance handbook with EVERYTHING (from the high level to the hands-on for the expert) to get you started in IT compliance and systems security. The main book is "IT REGULATORY AND STANDARDS COMPLIANCE HANDBOOK". This is the first in a series I have planned and more will follow in time. There will be electronic updates to this book over time to keep it current.

I will be working on co-authoring a book on CIP (Critical Infrastructure Protection) - but more on this later.

On top of this I recycle computers. To do this I take 1.5 to 2 year old corporate lease computers and refurbish them so that they can run the most current programs.

The question is - what do you do to help?

If you do not have the time, have you thought about a donation?

This blog has been monetised. This is where the money goes. By clicking and purchasing on this site, you help Burnside and Hackers for Charity. All monies earned here are split 50/50 between these two charities.

Thursday, 8 May 2008

In many ways, although this is slowly changing, the Internet and Web have many parallels to the ideal of a frontier. The Wild Wild Web (west) of the Internet (Behan, 1995) is slowly fading as new laws and methods of enforcement are brought to bear.

In this frontier world of the Internet, the mythology of the antihero has played a large part in the cultural development surrounding the Internet. In this analogous context, people such as Simon Vallor play the role of the western hero. Like Butch and Sundance in the US, or the Kellys in Australia, the role of the outlaw holds a particularly strong psychological enticement for those who feel disenfranchised (Zur, 1991).

Through the creation of computer code to wreak digital havoc, the antihero makes his/her stand against society by thrusting themselves into the limelight. Like the outlaws of old, their reputation requires that they are caught. By making an example of them in the public press and lending a mythological level of intrigue and technological magic to the simple acts they commit, the common press promulgates this analogy (Bowser, 2004).

To burst this bubble, we need to demystify the antihero. We need to show them for what they are. People like Kevin Mitnick, for instance, have grown in infamy through their exploits (Littman, 1997). However, all they have done is break the law. Mr Mitnick was a simple confidence trickster with skill in the ability to deceive. Why do we reward this?

Destruction is easy; creation is difficult and requires skill. By allowing the hacker antihero mythos to survive we allow this disenfranchisement of our rights and society's rules to occur.

5 comments:

You write a huge assumption into your post, that the hacker antihero is destructive. When you were in grade school hackers were writing the best information available about security. Hackers have created huge volumes of code and security knowledge. This is not to say that there are not destructive hackers or that the destructive hackers are the majority. Today most 'hackers' are not the antiheroes of yore, they are criminals and script kiddies. But to claim the mantle of creation and reject hackers' contributions as wholly destructive is simply wrong.

And as for having to get caught for their exploits to become famous, that depends on what you consider famous. Plenty of hackers are famous without getting caught.

Nice list of references. Try revisiting the NIST site, the 800 series has some excellent new documents with a general IT security scope (115, 123, 30, 39, 92, 100, etc.). Also instructive are the Syngress books "Stealing The ..." which provide a hacker-eye view of the highly creative process of compromising system security.

First, thanks for thinking I am younger than I am. My first email account was in 1979, so we are talking the 80's for the timeframe of what you relate to based on the assertions.

Actually, I have also revisited the NIST site as well. I do it weekly, but the existence of a document does not make it a reference or I could also add CIS and DISA ones.

You are also using the past assertion of a "hacker" mythos as a benevolent coder. This terminology has not been valid for decades. In the 90's there may have been a cracker / hacker divide, but perceptions are based on a common phraseology and taxonomy, not that of a few diehards.

When I was in grade school hackers were doing little to improve security other than ... well sorry I can not see it. We are talking 80's and pre web here.

You make an assertion of creativity. Please provide some evidence if any is available. You state that to "reject hackers' contributions as wholly destructive is simply wrong". Please provide evidence to this assertion.

Or rather are we talking again the cult of the anti and people who want to think that they are bad...

I was not being facetious when I said it was a nice list of references, it is a good list. The reason to revisit the NIST web site is the large amount of new guidance released recently. The SP 800-123 Guidance on General Server Security is well worth a read. The SP 800-100 Information Security Handbook: A Guide for Managers is a good way to get managers (and especially Federal managers) up to speed. And speaking to your previous post about the SDLC, the draft of SP 800-64 Revision 2, Security Considerations in the SDLC was released in March.

If you want to reference happenings in the 80’s look no further than textfiles.com and thebbs.org. We can talk about hackers doing good in that time frame if you like. For example, there was the guy who discovered jackpotting and told the banks about this huge security hole in their ATM networks. Oddly enough that was hushed up, bankers don’t like news of bad security leaking out.

As to the question of 'evidence of this assertion' to creativity, the evidence is in the head of the hacker. It’s that bit of creativity that looks at a nuance of system implementation and goes, “That’s not right” then finds a way to turn it into root access. Evidence of that is available at http://nvd.nist.gov. For good examples of the creative process that happens in the hacker's head when contemplating a system attack look to the Syngress "Stealing The Network" book series (How To Own A Continent, How To Own The Box, etc.). If ever there were a group of people who took the question "What if" seriously, these are they.

For evidence of the creative process, I'd start by pointing out that almost every major category of security software is derived from hacker tools. Even now many of the most useful software packages in the security field were originally written by hackers or derivative of hacker tools. Examples would be nmap, metasploit, crack, cain & abel, nessus, etc. More evidence of the hackers' creativity in the security field can be easily had by walking down the halls of a Black Hat Briefing, DefCon, ShmooCon, H.O.P.E or any beery congregation of security experts.

Let’s talk about hackers who have done things in other creative arenas of creativity. Do you remember Operation Sun Devil where the Secret Service took down Steve Jackson Games? Why did they do that? Because the guy who wrote GURPS Cyberpunk, Lord Blankenship, was a hacker and happened to work at SJG. This miscarriage of justice led directly to the creation of the EFF. And there’s the Syngress series of books mentioned previously, “Stealing The Network”, which is written by hackers.

One area where I can only provide anecdotal evidence is that there is a disproportionately large showing of hackers and ex-hackers in the gaming industry. I think the first I knew of was Lord British's partner in business, Chuckles, coauthor of the Ultima series of games. Of course I say anecdotal because unless they choose to out themselves I’ll not be doing it for them.

And let's talk about a guy who arguably straddles the line between the old hacker definition and the new. According to Steven Levy this fellow considered himself the last true hacker. Symbolics accused him of theft of trade secrets for reverse engineering their software, which fits the new definition of hacker. At MIT he decrypted users' passwords and sent them the plaintext. He also helped write Emacs, contributed to Lisp, founded the Free Software Foundation and inspired the creation of most of the codebase found on Linux systems. He was, of course, Richard Stallman.

As to whether I use the 'outdated' definition of a benevolent coder or a more narrow definition which is entirely restricted to computer criminals, I use neither in particular, but both in general. Which is to say I use the broad definition encompassing both along with the sense that a hacker is an investigator of their own curiosity who does not always stop investigating because of questions of legality. Some hackers are black hat, some are grey hat, some are white hat and some even call themselves ethical. As a term 'hacker' is not now, never has been and never will be singularly synonymous with 'computer criminal'. Wiki's disambiguation page on hacker is eloquently unbiased on this point.

Pardon if I go silent, I will be out of town and offline for the weekend.